The latest in the Montclair Schools assessment leak investigation, including breaking news of New Jersey’s OFAC coming in to conduct an investigation:

Township Council Allows its Director of IT to Review Server

In a Montclair municipal memo dated December 29, 2013 sent to members of the Township Council from Town Manager Marc Dashield, he shares answers from the Director of Information Technology for the Township of Montclair, Joseph Fagliarone, with regard to the security of the shared network server between the township and the Montclair School district. According to Fagliarione, “It was determined that no hacking or successful intrusion into our network from the point of entry ‘Firewall’ was found.”

Fagliarione goes on to state “However it was noticed that the folder permissions where the “leaked” files were stored had the wrong permissions. This setting allowed anyone to be able to access the files from the internet.”

The Board of Education launched an investigation on November 1 to determine how 14 of 60 assessments were publicly posted online. When the board asked permission from the municipal council to allow an IT forensic review of the shared server, the council denied the request. However, they allowed their Director of IT to have access to the district’s data on the server, and it seems they did so without permission.

Barista Kids asked Superintendent Dr. MacCormack who was the person responsible for managing those folder permissions. She wouldn’t answer, saying that the question is part of the investigation.

Board President Robin Kulwin says that this memo was never sent, nor discussed with her and the Board. She didn’t know of it until it was passed along to her on Monday. It was also brought to her attention that the group Montclair Cares About Schools had posted the letter on its public Facebook page Sunday, January 5. “If we’re all working on this together, why wasn’t this not shared with us?,” she questions. She also questions the Council doing the very thing that they denied the Board to do.

Kulwin also says the board never thought the system was hacked, but rather were investigating an unauthorized release. She says access to the server is needed as part of the IT review to look into IP addresses and emails to see if the assessments were released.

Barista Kids reached out to Township Manager Dashield, as well as all the council members, early yesterday morning with questions on why they allowed their IT person to access district data on the shared server while they deny the board the same right, why they didn’t share the findings with the Board, and how Montclair Cares About Schools received the memo. We haven’t received one response.

When Barista Kids asked the PR person for Montclair Cares About Schools how they received the memo, she didn’t answer, but responded that she was “completely confused and surprised by that question” because she felt, “it is so unrelated to the issue of concern to the public, which is the new information contained in the memo. That is the germane thing here and as I expect you’ve noticed other media seem to see it that way as well.”

Office of Fiscal Accountability and Compliance (OFAC) Comes in to Conduct Investigation

The Board has put out the following press release late Tuesday night:

The New Jersey Department of Education today informed the Montclair Board of Education that the Office of Fiscal Accountability and Compliance (“OFAC”) will conduct an investigation into a potential data security breach related to the unauthorized release of proprietary and confidential assessments belonging to the Montclair Board of Education. OFAC was one of several government agencies that the Montclair Board of Education contacted soon after learning of the unauthorized release of certain of its assessments.

Board intends to support fully OFAC’s efforts and will schedule a meeting of the Board as soon as practical to discuss suspending its own investigation. The Board will continue to provide any and all support requested by OFAC.

In response to OFAC’s involvement, Board President Robin Kulwin stated, “I’m very pleased that OFAC has decided to conduct its own investigation related to the district’s computer systems. I reached out to the Department of Education shortly after learning of the assessment release. I’m confident that OFAC’s investigation will enable the Board and the Montclair community to obtain a detailed understanding of the events leading to the unauthorized release of our assessments. More importantly, OFAC’s involvement will enable the Board to shift its focus back to its primary mission of governing the public schools.”

85 Comments

Both the township IT person and the school districts network administrator came to the same conclusion, because they both reviewed firewall logs searching for an intrusion, and both found the server to be secure. The folder where the assessments were stored had wrong permissions allowing anyone to be able to access the files from the Internet. Teachers posted assessments on what they believed was a password protected site, only to have changes made to their assessments by Dept. Of Instruction.
Both the Montclair Times, Star Ledger and Montclair Patch published the same information as MCAS. Were they also asked how they received the memo? Was the BOE asked how much money, to date, has been spent on this “investigation”, particularly in light of four school staffs coming before the BOE reporting lack of books, materials, and staff needed to implement the new curriculum? Was the BOE asked how they intend to respond to the possibility of lawsuits based on this investigation, that will continue to cost money?
Pertinen questions need to be asked of those responsible for the oversight of the education of Montclair’s children, not only of people with a different opinion?

“Both the Montclair Times, Star Ledger and Montclair Patch published the same information as MCAS. Were they also asked how they received the memo?”

Being that MCAS posted the memo before any other news media wrote the story or before the Board and district knew of the IT review and findings, I feel it is relevant to ask them how they received the memo.

Georgette,
why not ask the other questions posed by meccamagic, then? why not aask David Deutsch how he can condemn the Town Council discovery as not an independent investigation after voting to have the BOE attorney conduct the board’s investigation? come on now. this has become a farce, a divisive embarrassment to the community, a waste of money and a smear campaign to protect the reputation of the superintendent and entrenched positions of particular board members.

Not for one minute do I believe that the BOE and Superintendent had no knowledge of what was in the memo; they already knew, based on their own network administrator, that the assessments were not password protected as claimed. How much money has, is, and will be spent in this ongoing attempt to control/manage the voices of opposition, cost the taxpayers, and ultimately, the children, of Montclair?
OFAC has been sent to rescue the superintendent-the finding will be the same, but the BOE will be vindicated due to the assessments being posted.

Certainly, this new twist to the debacle that the Monclair School District is becoming is no more than political protection coming from Trenton to the Montclair Board of Education (MBoE) and School Superintendent MacCormack in their hour of need.

Montclair is, after all, Commissioner Cerf’s hometown. Superintendent MacCormack came from Trenton with a mission and she has been willing to go to extremes to have the Common Core State Standards (CCSS) and Partnership for Assessment of Readiness for College and Careers (PARCC) programs implemented just as wanted by Trenton and without any care or consideration for the town or its people.

There will be no accountability from the MBoE on the hundreds of thousands of dollars (?) given to Mark Tabakin for this sham of an investigation. The MBoE members learned nothing from this investigation. Nada. They only succeeded in silencing critics who were afraid of having their lives turned upside down by a rogue lawyer armed with illegitimate, even court defying, subpoenas.

Why is the NJDE’s Office of Fiscal Accountability and Compliance (OFAC) on now, more than 2 and a half months after the “security breach” coming into play? Why did they wait for the investigation to be cut out from under its feet by a Superior Court Judge on behalf of the ACLU, and then chopped at the waste by the Town Council before entering the fray? Will the OFAC investigate all the money handed over to Mark Tabakin for this sham operation? Again, the cover up is taking on new dimensions.

From what we know now from the good work done by Network Administrator Alan Benezra and Director of Information Technology Joseph Fagliarone, Superintendent MacCormack had to have known on Friday, October 25, that the “security breach” was nothing more than another dismal catastrophe under her command (not unlike the Glenfield gun incident earlier in the year).

meccamagic questions are completely correct and well stated. On Saturday morning, October 26, prior to the announcement of the leak of the assessments by MCAS, a “tipster” had informed Baristakids of the assessment leak. Baristakids is the first one to have been informed about the “leak” by a “tipster” and still the MBoE’s investigation did not come here to ask question? Why were four innocent commentators on Baristkids subpoenaed to have their identities disclosed but Baristakids itself never subpoenaed or questioned?

Does the MBoE need the local press? Does the local press need the MBoE?

meccamagic’s questions should be asked by the local press. However, the local press has far too long given prominence to the absurd, disgraceful and lawless behavior of the MBoE. It is time for the real questions to be asked and full and truthful answers to be provided. Or will this local press help the MBoE sweep again its failures under the carpet?

What does Montclair gain by supporting a rogue and lawless Board of Education?

Georgette, as I understand it, on December 9 you were served a subpoena to provide identifying information on “jdmccab”, “lennythebrave”, “assessmentgate” and “idratherbeat63.” http://www.aclu-nj.org/files/6713/8618/9800/MBOE146_Subpoena_of_G__Gilmore_RGL.pdf This subpoena only requested identifying information on innocent posters, and nothing regarding the information that the “tipster” had provided BaristaKids in advance of the information being made public.

1. Were you also served another subpoena requesting you to provide information on the anonymous “tipster” who reported to you, on Saturday morning, October 26) that the assessments had been available on the Internet? I am not aware of such a subpoena. Could you provide a link to where you wrote about it?

2. Were you interviewed or questioned (under oath or otherwise) by the MBoE investigation? I am not aware that you ever reported on that. Could you provide a link to where you reported being questioned as you stated above? I was not aware of it.

3. If you were questioned, did supply to the MBoE the name or identifying information on the “tipster”?

What I stated in my posting above is completely correct, unless there was a further subpoena or questioning that you did not report (or which I had not seen you report).

I think the term “shared server” is very likely a non-technical description of the hardware setup in the shared services arrangement between the MPS and and the Township.

The idea that MPS data and township data are on same “server” is frightening to me. Maybe public sector IT design & practices are different from what I am used to in the private sector. Maybe everyone (DCS, Police, MPS, CFO, IT, etc) has access to the same single server and the only security is at the folder level. If so, then I can see how the Township IT Director has the ability to make a determination that an MPS folder had the wrong permissions settings. Of course, considering the Council’s resolution, the IT Director should have never touched the MPS’s folder. The only shared data folder is where the network administrator commingled the archived emails. The assessments would certainly not be in the same folder.

The Township’s IT Director may gone into the domain of the MPS and if so, his boss, the Township Manager, and the Council have a problem.

My take away is that someone authorized to access the system unethically posted the tests. Foul #1. The BOE should have had access to the server to determine who posted this. The Town Council voting to deny the BOE or their investigator access to determine this was major foul #2. We should be filing OPRA requests for e-mails and text messages of the council persons for why they even put this to a vote.

Another major foul identified by Barista kids was why the Town allowed their IT person to access the district’s data when the BOE wasn’t allowed access- “Barista Kids reached out to Township Manager Dashield, as well as all the council members, early yesterday morning with questions on why they allowed their IT person to access district data on the shared server while they deny the board the same right,…”

Politics as usual. Unfortunately, with Sean Spiller with executive positions with both NJ state and local teachers unions, it seems he will put the unions needs and desires above those of the residents of Montclair and those of the students in the schools. Many are also disappointed with Robin’s vote given her position at the MFEE. I think two councilors should have abstained from the ridiculous vote to block the BOE from having access. Sean Spiller should also not be on the BOSE given his executive position with Teacher’s Unions. Are there not ethical laws against this?

@sohobound – GoBookee doesn’t allow user-submitted content to be posted; it’s a web scraper that posts unprotected docs that it finds. Even if someone went in through the district’s unprotected portal and accessed the assessment tests, they would not have been able to upload them to GoBookee. It’s impossible.

Regarding the most recent chapter in our Board’s saga, here are my thoughts:

For the majority of 2013, the BOE was on a roll. But as 2014 unfolds, it’s becoming clear that their confidence and sense of infallibility is waning.

MacCormack’s divisive Strategic Plan was unanimously approved in June. Her controversial Common Quarterly Assessment tests (CQAs) were hastily assembled over the summer and stealthily scheduled for an October launch. The Board ended the formal participation of the Montclair Education Association (whose teacher members were viewed as noisy, fault-finding irritants by the BOE) in Board meetings in September. Concerns and questions from the community about these contentious actions were casually dismissed or simply ignored.

The Mayor’s silence on the BOE’s provocative behavior signaled local political consent, and NJ DOE Commissioner Cerf, a MacCormack supporter, also had the Board’s back. They were free to do whatever they wished with no repercussions – or so they believed.

When 14 CQAs appeared on rogue website GoBookee.com prior to the first scheduled assessment tests in late October, the Board asked Tabakin to investigate. While Kulwin initially stated that it was “highly unlikely” that the tests were hacked by an outsider, Tabakin suspected foul play. He believed that “someone somewhere pushed the send button”, and he issued subpoenas (all authorized by Kulwin) to seek information that would help track down the perpetrators. These subpoenas just so happened to be served exclusively to the BOE’s most vocal critics in the community.

Alan Benezra and Joseph Fagliarone disagreed with Tabakin. They believed that the CQAs appeared on GoBookee not because of a hack or breach, but because the tests weren’t properly protected on the district’s website and were web scraped by GoBookee. In their review of the firewall and server logs the day after they learned of the assessment test leak, Benezra and Fagliarone determined that there was no “successful intrusion” into their network.

If it’s proven that Kulwin and/or other BOE members were told that the CQA uploads weren’t caused by an intentional breach, but they still decided to launch subpoenas in early November as a means of harassing their critics, then they should face legal consequences and also be held personally liable for the six-figure cost of Tabakin’s investigative services.

2014 may have just started, but we may discover that the aftermath of the Board’s 2013 unlawful subpoena pursuits has yet to begin…

Now that it’s become apparent that the breach was caused by bad security settings I wonder if we will see any retractions or apologies from those who accused parents and/or teachers of sabotage.

The Mayor had called out Montclair parents for “cheating” and for their “obsession with success at any cost” and the teachers for “poisoning the waters” in order to derail the assessments.

The Star Ledger’s editorial on the subject made the same accusations as the Mayor, and even called out anyone who didn’t like the Common Core or standardized testing as possible culprits. The Star-Ledger’s editorial page editor Tom Moran lives in Montclair so he surely knows now what has been revealed, but I’m not holding my breath for a correction or a retraction.

And now the Super, who no longer has a boogie man to rally around, has been given cover by her former employer at the NJDOE, who now suddenly thinks they need to get involved months after the fact, just as the BOE’s investigation is blowing up in their face. The NJDOE will surely find that there was a breach due to bad security, but the odds that we will find out what truly went on with the BOE’s investigation just went way down.

@montclairpublic you are completely correct: “This has become a farce, a divisive embarrassment to the community, a waste of money and a smear campaign to protect the reputation of the superintendent and entrenched positions of particular board members.”

MBoE Member David Deutsch attacks on the Town Council and, more recently, on Alan Benezra are deplorable. He is completely without civility or respect, and certainly does not understand how government works or his place in it.

The low point of it all came when MBoE Member Anne Mernin proclaimed “I will not even debate the legality of this investigation.” And this, after the unlawful investigation had gone even further to directly disobey the order of a Superior Court Judge.

Many innocent people have been damaged by the fear and unlawful intrusion of the MBoE into private lives in order to stifle criticism and allow the reckless destruction of decades of building a leading public education system.

We still do not know how much money Mark Tabakin and his posse of subpoena swinging investigators lifted from the town coffers. But now we have a town more divided than ever, where people are fearful to speak and where the MBoE believes it is far and above even the Town Council.

Perhaps this MBoE thinks that the backing of Trenton permits it to be as ruthless and lawless as it wants. This is surely no longer a government body by the people, for the people; rather, a handful of appointees interested in furthering their own power, trips to Trenton and Washington being more important than textbooks for 3rd graders. They are fighting for a higher cause than simply a child learning her multiplication tables: personal power and prestige in their local community.

soho, with all that has been revealed I question your conclusion that someone “unethically posted the tests”. It seems highly unlikely that someone authorized to access the server “posted” the assessments. That would assume that someone with network access would go so far as to turn off the security protections for just these specific files, but then only leave the documents there on the network with the hope that someone might stumble across the unprotected files, or that they could coax a content thief like Gobookee to come steal the assessments.

As a Montclair taxpayer and parent in the district, I would like to know how much money our BOE spent on this investigation (and not on our children) and are we really to believe the BOE did not know about the memo?

And as a NJ taxpayer how much of our money is the State now going to spend on perpetuating this sham of an investigation?

@sohobound No one can blame the MFEE for the assessments being on the Internet. This is due only to Superintendent MacCormack. Suggesting that union politics played a role in the MBoE investigation or the stopping of it is simply silly.

We know today the farce of this MBoE investigation because of the legitimate and important questioning of Councilor Spiller. We know that what Superintendent MacCormack said from the beginning was not true: the assessments were posted by her (herself or under her and only her responsibility) to the District site with no password protection. Anyone, including you, could have accessed them. What Superintendent MacCormack told the town, told The New York Times and The Star Ledger, was simply not true.

And Superintendent MacCormack had to have known that when she left her office on Friday evening, October 25, to go home (to Connecticut? to Philadelphia?). Because by then she had ensured that the “security breach” was repaired: she had ensured that the assessments were in a password protected file. She went “home” hoping no one would ever know.

And more than a week later, on Friday, November 1, when the MBoE organized this witch hunt of an investigation, including Mark Tabakin’s wonderful 2013 Christmas bonus, they too in their secret meeting at 5 pm had to have known that this all was simply another enormous goof from Trenton’s well-loved Superintendent MacCormack. (After less than a year in Trenton she was also involved in similarly leaked assessments.)

Superintendent MacCormack got away with the fiasco she led around the Glenfield gun incident. Certainly she could find someone to throw under the bus for her having made the assessments public. Hmmm, who could she find?

@Frank Rubacky The answer to your question “The obvious and significant question would be who created the network folder?” was obviously known to Superintendent MacCormack by Friday evening, October 25 (before the anonymous “tipster” reported it to BaristaKids on Saturday morning, October 26). It would also have been known to the MBoE at its secret meeting on Friday, November 1, that launched the investigation.

This MBoE investigation was never an investigation into “leaked assessments.” That was only the pretense and a cover up. The real investigation was into “incidents of conduct contrary to the Board’s best interest,” as the MBoE November 1 resolution authorizing the investigation clearly said. It was an investigation to consolidate power over the town and silence criticism. It was a scatter gun investigation aimed to instill fear, to create distrust between citizens (as Mayor Jackson had done in his statement a few days before), and to further fortify the MBoE.

@Frank Rubacky Answer: Superintendent MacCormack was responsible for the security of the District’s website. Superintendent MacCormack claimed that the assessments were password protected. They were not. She knew that.

It doesn’t matter “who created the file.” It matters who was responsible.

And not being honest with the townspeople and the local, state and national press does matter.

Mayor Jackson has been wrong about Superintendent MacCormack and MBoE in every statement he ever made about them, including his own appointments.

Let’s try this again: Teacher Portal/Skyward are the network folders used by teachers to post the assessments; Teacher Portal is password protected, as is Skyward (supposedly); Teacher posted assessments were not returned to staff in the same format or with same questions as originally submitted; assessments were changed in Central Support, Department of Instruction, and final DOI versions were returned to schools. The district has had problems with Skyward most of the school year. In October, both the Township IT person as well as the District Network Administrator concluded that the assessments were not password protected as claimed, and were therefore subject to being accessed on Internet.
We are beyond the “how” as the point of concern. The focus at this time is the cost to date of this investigation, projected costs for present and any upcoming court cases and/or settlements, how these costs will translate into cut programs, lack of books, materials, and personnel. And when it will stop.

@sohobound, if you look at the timeline, the database was accessed by both a school district employee and a city employee BEFORE the town council voted to deny the school board access to the database, so no foul there.

And the idea that someone put information in a folder with the wrong permissions in the hopes that some web-scraping software would swing by and post it seems a little far-fetched. So, probably no foul there, either.

I had a conversation over the holidays with a woman who kept insisting to me that it was going to turn out to be “a bad teacher” who was “afraid to be assessed” despite the fact there is absolutely no evidence of this. It got me wondering why so many people are obsessed with the idea that the tests were posted in bad faith by a disgruntled school employee intent on disrupting the superintendent’s agenda.

Then I realized that the school board itself–as well as the district office–has been talking such smack about the Montclair teachers that some people were starting to believe our schools were full of nothing but bad and lazy slackers who had nothing but evil in their hearts and who want to make our kids look like fools on the Common Core tests just to lower the value of our real estate.

Now I know that “anecdote” is not the singular of “data,” but I have to say that while some of my son’s teachers have been better than others, I haven’t encountered one I would label “bad” or “lazy.” They’ve all been hardworking and genuinely seem to want the kids to learn. And furthermore, when I’ve ask parents about their experiences at the middle schools (since my kid is headed there next), I hear overwhelmingly positive reports about the teachers at all three of them.

And while I’m sure there are some less than stellar teachers in Montclair, I honestly believe that they are the exception instead of the rule. And it would be nice to see the BOE and the superintendent start acting like they know this.

Georgette, you are my hero and role model. Way to follow this story and stick up for the facts.

So the Town Council blocked the BOE’s investigation, then conducted its own investigation on the sly, and then released it to a bunch of parents without even telling the BOE… What chutzpah! It just beggars belief. Do they think they can do anything they want without having to answer any questions? Unbef#*kinglievable.

Where did this spokesperson from Montclair Cares learn her PR? Responding to Georgette’s perfectly reasonable question with some baloney about the public interest is straight out of the Soviet playbook. What is this, the People’s Township of Montclair?!?

You say “if you look at the timeline, the database was accessed by both a school district employee and a city employee BEFORE the town council voted to deny the school board access to the database, so no foul there.”

IRB,
My question was about the network folder, not a file. You didn’t answer my question. You substituted my question with your own and then answered yourself. Let’s be clear about this.

meccamagic,
The Manager’s memo to the Council was dated 12/29. More than two weeks after the Council’s resolution that the Township should & would stay out of this issue. The memo’s intent was characterized as sharing answers with the Council on server access. I just don’t understand why the Manager would write such a memo when he got a resolution from the Council 2 weeks earlier to stay out of this. Was the Council still making inquiries as to what happened? When does the desired healing start? After the Township makes it own, independent determination of the facts?

If you go back and look at the Montclair Times article, you will see that Mr. Benezra and Mr. Fagliarione accessed the database last fall immediately after the assessments were discovered on Gobookee. That is also when they discovered that the assessments were not secured on the database and reported their findings to the BOE.

The memo is dated December 29th because it was written in response to a request for information made by Sean Spiller a few days earlier. The investigation itself was not prompted by this request. It had already been concluded. The memo was simply reporting findings which had been made last fall.

Third Ward Councilor Spiller replied, “”The decision to deny access was driven by the unfortunate fact that this issue has pitted neighbor against neighbor and has created a divide in our community. A majority of us on the Council simply felt that as leaders, it is time to look for ways to come together. This current process seems only to be pushing families further apart from one another and solutions further away.”

@fishoutofvodka is correct and walleroo is wrong (again). No investigation was done “on the sly” by the Town Manager or the Town Council. How disrespectful of walleroo even to suggest that. At a public Town Council Meeting (and not at a secret 5 pm Friday evening meeting), a Councilor asked legitimate questions about the town’s website and received correct and legitimate responses.

Notice, none of this required paying a “conflict-of-interest-up-to-his-teeth” rogue lawyer a hundred thousand dollars or more. None of this required fake and illegal subpoenas going after anonymous supporters of good government. None of this required a cover-up and lies.

And all of this information would have been known to Penny Elizabeth MacCormack at “home” on the weekend of October 25th hoping and hoping and hoping that no one discovered her blunder.

It is not new information. It is not about the date of a memo, which is from public authorities, written on the taxpayer dime and everyone is entitled to know (yes, walleroo, including parents of children whose education is being ruined by this Superintendent and MBoE).

Since when does a board of education tell its town council what it can and cannot do with its own data?

Why do people want to protect those who have repeatedly broken the law?

If that is the case, can you explain why the Council never publicly stated, nor told the Board (according to Kulwin) that they did an IT review and shared their findings?

When I questioned the Council after their vote on December 11, I received three responses from those who voted to deny access. Two said it was because of the divisiveness and one told me it was because she didn’t want private municipal data available to the Board’s IT review. Not one member publicly said it was because they did a review and found no hacking or intrusion or that the permissions were wrong.

So I see that the questions about the ongoing cost of this mess won’t be asked. Why the money that has been spent and continues to be spent is not as important as finding a non-existent leaker, trying to damage the reputation of a BOE member, identifying anonymous bloggers, or trying to “throw shade” on an opposition group leads me to question why this BOE and superintendent is being protected? and by whom? (oops, more questions)! So I guess, as a taxpayer, and Family member with children attending Montclair Public Schools, I will have to ask it myself. And I expect an answer.

Georgette, in your ongoing efforts to white-wash this unlawful board of education, you miss the point continually. No one said the Town Council “did a review.” Councilor Spillar asked a question. Mark Dashfield went to those who new and asked for answers. He then put it in a memo.

What on earth is wrong with that? You and wallerloo’s suggestions that the Town Council “did a review” and asked people to “access data” that the MBoE could not access and that all this is done by the bad people on the Council (not the good Mayor with his Thurgood Marshall Award or the 1st Ward Councilor) “on the sly” is simply assists the covering up of the illegal and unethical investigation carried out by the MBoE.

Why did not Superintendent MacCormack and the MBoE Members tell us in October what was in the December 29 TC memo? Did you ask them that? Did you ever ask the MBoE members and Mark Tabakin why they waited more than six weeks after the security breach to even consider looking at their own database as part of the investigation?

Civil rights were tread on by this MBoE. People had their privacy invaded. It cost individuals a great deal of money in legal expenses. Taxpayer money was frivolously wasted. A situation of fear and distrust was created by the Mayor and by the MBoE. But you want to find fault with five people in town who did the right thing?

It appears that a great many people – apparently including the Town Manager as well as most people here – don’t understand the concept of a Firewall. This isn’t too surprising or even problematic, for the most part. It’s not actually a part of what most people need to know.

A firewall is responsible, at a simplified level, for blocking unauthorized access. If it recognizes an attempt at unauthorized access, it prevents this from succeeding.

An implication of this is that one cannot necessarily discern from a firewall if any unauthorized access succeeded. The only unauthorized access that could succeed is one that, by definition, is not recognized by the firewall.

As I wrote: it’s no big deal that the Manager doesn’t understand this. I wouldn’t expect the members of the Town Council, the BOE, or the Superintendent to know this either.

This is one reason why, when facing this type of issue, experts are required.

The two experts being used by the town for this are the two people responsible for the systems in question. This is inappropriate. It is similar to someone proofreading his or her own work. It is very easy for the original author to miss what is or isn’t there as he or she sees what was intended to be there rather than what actually is there.

This is one reason why, when facing this type of issue, outside experts are required. The BOE tried to this this. The Town Council prevented this. The BOE acted responsibly. The Town Council did not.

I’m pleased that the state is involved, therefore, if only because – presumably – they can get past the Council’s obstruction and actually find out what occurred (assuming that enough time hasn’t gone by that evidence has been lost).

Ultimately, this is about protecting the information the schools retain. Whether it is the information about the children, about the faculty, or something else, the school district is responsible for protecting that information. That information “leaked” into the wild means that it can leak. That it can leak means that we’re at risk of this occurring again unless the mechanism by which this occurred is identified and corrected.

As a parent, I am outraged at the Council’s obstruction of this process. It shows a complete lack of concern about our children. Hopefully, with the state involved, the Council’s obstruction will cease.

People also seem to be very excited about the assertion that the directory was insufficiently protected. Even if we are to take the statement at face value, it tells us very little. Consider the question: how did this come to be the case? Possibilities include:

o An insider made a mistake

o An insider deliberately did this

o An outsider deliberately did this

The second of these is what we’ve been calling “a leak” and the third is what we’ve been calling “a break-in”.

The same possibilities that existed before we learned this exist afterward.

As I wrote: these issues aren’t really a part of most people’s awareness. It’s no surprise, therefore, that people aren’t grasping all the implications (or lack of implications). But I also see above silliness like “Superintendent MacCormack was responsible for the security of the District’s website”. By this same “logic”, the President should be impeached because of the problems with the federal ACA website.

Admittedly, some people are arguing for that. It’s unfortunate that we’re seeing the same level of “logic” here.

On the other hand, Target recently had a huge security breach. Nobody is calling for the CEO to resign over this. The idea is nonsensical…unless it serves someone’s pre-existing agenda.

One point raised above with which I do agree is that this is costing too much. Had the audit been permitted to move forward as it should have been, this would have been far more straightforward and less expensive. We should be asking, therefore, what agenda is served by either (1) leaving our children at risk or (2) making this process unnecessarily contentious (and therefore expensive)?

I expect – and hope – only network administrators can setup folder permissions. Administrators are usually the only people that can define and enable the security logging function. They would be the only ones to do the same for the auditing functions.

The Township Director of IT is quoted as saying, “However it was noticed that the folder permissions where the “leaked” files were stored had the wrong permissions. This setting allowed anyone to be able to access the files from the internet.”

This quote is saying:

1) the FOLDERS had incorrect permissions allowing open access to the FILES within the folders. This is news to me as I understood since this story broke that the issue was the FILES were not password protected.
2) Anyone from the internet (not the intranet) could access this folder.

So, taking these point 2 at face value, I have a hard time giving any significant weight to the other quote, “It was determined that no hacking or successful intrusion into our network from the point of entry ‘Firewall’ was found.”

I believe if you read the Montclair Times reporting on this subject, you will see that Mr. Benezra claims he did report his findings to the BOE.

Additionally, I believe you will see that the members of the Council themselves were unaware of the investigation until well after the meeting on Dec. 11. The memo about the investigation was written because Mr. Spiller asked if the town’s database was secure. The response he received from Mr. Dashield detailed the work Mr. Benezra and Mr. Fagliarione did last fall in the immediate aftermath of the “leak” to see if the server was hacked.

I don’t know why Ms. Kulwin claims the Council did an IT review and didn’t share their findings with the BOE. Mostly because I’m not actually sure that is what she’s claiming. I think maybe she means that they didn’t share the memo with her (maybe the memo counts as an IT review?), not that they purposefully kept knowledge of Mr. Benezra and Mr. Fagliarione’s investigation from her. I believe she’s been aware of Mr. Benezra’s conclusions since this fall. But you should ask her for clarification on this, not me.

Frank/Andrew – your IT contributions are of value, but you’re sort of pulling things off topic here. The big picture issue is this:

If it’s proven that Kulwin and/or other BOE members were told in late October that the CQA uploads weren’t caused by an intentional breach, but they still decided to launch subpoenas in early November as a means of harassing their critics in the community, then they should face legal consequences and also be held personally liable for the six-figure cost of Tabakin’s investigative services.

“Georgette, in your ongoing efforts to white-wash this unlawful board of education…” Please don’t do that. Georgette’s comments clearly show she does not share the same perspective and feelings on the subject as many of us, but to suggest a white-wash is unfair.

@Frank Rubacky You stated abvove: “This is news to me as I understood since this story broke that the issue was the FILES were not password protected.”

On Monday, October 28, after a weekend at home hoping no one would discover her blunder (and unaware of the anonymous “tipster” that informed BaristaKids) Superintendent MacCormack was quoted in the The New York Times: “She said that only “teachers and senior staff here would have password access” to the secure web portal that contains the exams.” And on Tuesday, October 28, she exclaimed indignantly to The Star Ledger “I don’t intend to be the Fort Knox for security.”

Superintendent MacCormack has repeatedly claimed the assessments were “password protect.”

Perhaps you have been following an entirely different story? Or why did you fail to recognize from the beginning, as so many other people did, that Superintendent MacCormack and the MBoE were simply involved in a cover-up and the search for a scapegoat.

Why do some people care so much about unlawful people and care so little about good people like Charlie Miller and Alan Benezra? How can people condone, even encourage, illegal investigations and scapegoating? What lessons are we teaching our children?

This has nothing to do with good or even decent education. Shame in a town overwhelmed by pretenders.

agideon – great point. The files could not have been accidently grabbed by gobookee or anyone unless the firewall is not properly configured. If that was the case then all BOE and township files (since they are on the same server)could be accessible to anyone on the internet. This seems very unlikely.
The fact that the IT folks who investigated said “no intrusion occurred” without explaining how these files could be taken and posted on the internet says that they do not really know what has gone on. I don’t think that we can state definitely yet if this was a breach of security or an intentional act.

Andrew, leaving aside the firewall issues, if #2 (an insider deliberately did this) or #3 (an outsider deliberately did this) then why would they simply leave the documents sitting there on the server and not actively do something to make them public? If someone went so far as to break the law and illegally access the network why would they only change the security access and not steal the actual documents? Why go to all the trouble of breaking in and risking serious legal ramifications just to turn off the security protections?

As I said to soho above, that theory assumes that someone with access to the network would turn off the security protections only for just these specific files, and then leave the documents there on the network with the hope that someone might stumble across the unprotected files, or that they could coax a content thief like Gobookee to come steal the assessments. Logically, that makes no sense.

“If it’s proven that Kulwin and/or other BOE members were told in late October that the CQA uploads weren’t caused by an intentional breach”

This is not quite correct. They could be told anything. It doesn’t mean that they’d be correct to take that statement at face value. After all, we now have this memo from the Township Manager that is supposed to clarify matters. As I hope I’ve shown, it does not.

The reality is that we’re all still largely in the dark on this matter. The point of an investigation is to enlighten us all as to what did (or did not) occur. The council claimed to block the investigation because it was divisive. Unfortunately, keeping us all in the dark – and thereby leaving people free to create whatever conspiracy theories fit their agendas – is more divisive than the truth could possibly be.

At least, with the truth, we’d all have that in common.

This is yet another reason why the council’s obstruction was irresponsible, and why I’m pleased to see the state getting involved.

tryin, the word “posted” has been thrown around a lot here. The website where the assessments were found does not allow users to “post” content. You cannot log in to Gobookee and upload documents. That is not what the website is for. Gobookee gathers/steals content from the web, often from users computers, and posts that content in hopes that others will want to pay Gobookee for that content. Once they have your credit card info you will likely get false charges on your bill. That’s their business model.

Someone with the ability to break into the district network would surely know of a slew of free websites to post information to get the most exposure. Gobookee would not be on that list.

@State Street Pete I appreciate your caution as well as your other contributions here. I weighed my words heavily, but Superintendent MacCormack and the MBoE could only have come this far with the support of the press.

As you have pointed out above (and earlier as well, I believe), The Star-Ledger’s editorial page editor Tom Moran (a Montclair resident) took the uncritical, divisive and destructive line of Mayor Jackson and the MBoE and published a caustic and disingenuous editorial purposely supporting the witch hunt and cover-up.

The Editor of the Montclair Times, Mark Porter, bragged on TV34 of his “inside” information on the subpoenas even before those targeted were aware of them. (He could have only had this information from the MBoE or Mark Tabakin.) He behaved as though they were perfectly legitimate subpoenas supporting a perfectly legitimate investigation. Of course, his support of the MBoE’s illegal investigation gains him ongoing “inside information” and quotes.

Repeatedly those who make criticize the MBoE are challenged (often wrongly) by Georgette in the comments. Never have I seen anyone supporting the MBoE challenged on their facts (and it is plainly amazing the number of ridiculous things that have been said to support the MBoE).

Assessmentgate queried on Patch and here on BaristaKids if the confidential information on the School District website was secure weeks after the investigation began. Superintendent MacCormack replied here on BaristaKids saying that someone had said the website was not secure (which was not true) and that indeed it was. Georgette joined in with Superintendent MacCormack saying that Assessmentgate’s query was as good as an accusation. It was not.

And then at the last Board of Education meeting, even after the assurances that the website was secure by Penny MacCormack, David Deutsch, in his embarrassing attack on the Town Council, claimed the MBoE needed (more than six weeks after the investigation began) to investigate their own website to know if the data on it now was secured.

Georgette was praised for her conduct by many of us, myself included, when Assessmentgate reported on the MBoE subpoenas that Mark Tabakin issued. Only later did Georgette admit to me privately that she had never been served the subpoena and was not even aware of it until Assessmentgate reported it here. Still she silently accepted the praise.

Today she stated that BaristaKids was questioned in the context of the MBoE investigation and she reported it. But she refuses to now say by whom (a member of the MBoE, Mr. Tabakin, someone else?), under oath or not, where, when? And where did she report it?

Now to ask suggestive questions and create conjecture about five members of the Town Council who did the right thing seems to continue in this same line. Indeed, it is fine that she ask those questions of the Town Council. But where are the more obvious and glaring questions into the wrongdoings of the MBoE or the blunders of Superintendent MacCormack?

It is clear that both Superintendent MacCormack and the MBoE have broken the law. There is no doubt about that. Those of us who followed this story could say from the beginning, on November 1, that this MBoE investigation was nothing but a witch hunt and a cover up. But the local press and The Star Ledger buried their head in the sand, refused to ask obvious questions, and pretended this was a legitimate, even needed, investigation.

Innocent people have been hurt and incurred serious expense. The town has been divided. Criticism stifled. Unfounded suspicions created and maintained. Civil and Constitutional rights have been trampled. Money was wasted on a rogue lawyer. Still those who have a responsibility to report the news refuse to ask serious questions of the wrongdoers.

So Why? Why did the MBoE never ask BaristaKids who the secret “tipster” was who first brought the security breach to the attention of a news media? Why are four commentators on BaristaKids targeted, but not BaristaKids itself?

The MBoE wants/needs good press to continue its power hungry venture into wrongdoing. But the press also wants to have the first quotes, to able to say “we reached out to” . . . and they answered us.

One can create hysteria about kids who paint graffiti on abandoned buildings (and surely graffiti is not always good), but then to ignore when grown people abuse the law, abuse their government responsibilities, disobey direct court orders, and waste millions of dollars . . . then something is wrong in one’s values and one’s reporting.

Andrew, are you suggesting that the alleged hacker, who we have no evidence actually exists, broke into the district network, leaving no tracks, and either failed in his attempt to make the assessments public, or took the assessments and put them somewhere and he is waiting for us to find them, but the hacker hasn’t yet told us where? Seriously, what scenario are you suggesting that makes sense?

I have gamed this out over and over with the fear that I’m overlooking something or being naive, but each of the scenarios that propose theft don’t play out with any logic or sensibility. I may be missing some facet that would make one of these scenarios work, but so far there is nothing concrete that points to active sabotage.

@tryintosurvive Wrong. The Town Council memo clearly states that “anyone” could have accessed the unsecured and not password protected assessments. It was not a firewall problem or any of the other conjectures or ridiculous questions A. Gideon is asking here. It was simply because Superintendent MacCormack failed to ensure that the assessments were secured when posted on the District website. She could have secured them (and it seems she did before going “home” on Friday evening, October 25), but for a time she left the half million dollar assessments open to the public.

As so so many have already pointed out (and so so many have ignored) Gobookee.org had been (and continues to) scape public documents off the Montclair School District Website. It is not illegal. It is not “theft.” It is not someone “breaking in in the middle of the night.” It is simply irresponsibility on the part of Superintendent MacCormack.

@State Street Pete Not quite true. You can upload to Gobookee.org. I never tried. I have no idea how much that would compromise the security of your computer. Many of Superintendent MacCormack’s “Straight from the Superintendent” brilliant propaganda pieces are there. Perhaps she did upload them herself. We don’t know. Most likely everything was simply scraped.

Like others I commend Georgette’s efforts to clarify this mess. And Andrew is very right that this is an area where experts are needed; the average (and above-average) BOE and Township employees/leaders would never claim to be IT nerds. Seems to me that OFAC is an appropriate party to get to the bottom of what happened.

It’s been an interesting read to this point. I have a question if anyone familiar with gobookee can answer…their website mentions that they have…

“High performance online document crawlers”

and that they are “developers of a brand new online book searching algorithm”

Also, if you do a search on their site, you get access to many Montclair BOE documents. I think the search links right back to the Montclair school website if I remember correctly.

So, I guess my question is (having never seen the opted assessments), if you can access other non assessment documents on this website, does that mean somebody had to have purposely uploaded them also?

@belletoness No one needs to purposely load documents to Gobookee.org. There are many Montclair School District documents on Gobookee.org. Perhaps some were deliberately loaded by Superintendent MacCormack or someone working for her. Perhaps in an effort to have her program in Montclair more widely known. We do not know and she has not been forthcoming about her engagements with Gobookee.org.

Most likely the vast majority of the Montclair School District documents on Gobookee.org were simply scraped by the site itself. Nothing intentional. Nothing illegal.

Most interestingly, Superintendent MacCormack has never informed us how she managed to get documents (including the assessments) removed from Gobookee.org. Its office is in Moscow. It seems impossible to contact except through an online query system. How did she ever manage to get the assessments removed? This is an even bigger question about her relation with Gobookee.org than how the documents got there in the first place. This is a question she could easily answer and it would provide a lot of insight into how she failed in the securing of the assessments. No news agency has ever asked her that question. Why not?

“Georgette was praised for her conduct by many of us, myself included, when Assessmentgate reported on the MBoE subpoenas that Mark Tabakin issued. Only later did Georgette admit to me privately that she had never been served the subpoena and was not even aware of it until Assessmentgate reported it here. Still she silently accepted the praise”

This is another example of you blatantly misrepresenting the facts. When you emailed me asking why I didn’t inform you that I was served a subpoena when you were named on it, my answer to you simply was that I had not been served yet.

I never stated “I was not even aware of it until Assessmentgate reported it here.,” as I was fully aware that a subpoena had been issued to me. Issued and served are different things, but I do not have to discuss my legal matters with you.

We’ve no idea what tracks might or might not exist were someone w/o an interest in not finding them to look. Again: this is why we have others proofread our work. Relying upon the investigation by the two people responsible for the system’s security is naive.

However, I am writing that a firewall is not likely to provide useful information about something that – by definition – it could not detect. It’s not wrong to check, of course, just in case. But the failure to find anything is far from conclusive.

“failed in his attempt to make the assessments public”

They were made public, so I’m not clear on what you mean by “failed” here.

“so far there is nothing concrete that points to active sabotage.”

There is nothing concrete that points to anything. Thus the need for an investigation.

Townie, “Like others I commend Georgette’s efforts to clarify this mess. And Andrew is very right that this is an area where experts are needed; the average (and above-average) BOE and Township employees/leaders would never claim to be IT nerds. Seems to me that OFAC is an appropriate party to get to the bottom of what happened.”

>>Perhaps some were deliberately loaded by Superintendent MacCormack or someone working for her

It seems hard to believe she would be uploading documents to this particular site.

>However, I am writing that a firewall is not likely to provide useful information about something that – by definition – it could not detect.

Andrew, is it possible the firewall would not detect access from this site because it is on some type of “trusted” list? With a firewall, don’t you have to permit access or deem addresses or sites as “trusted” for them to have access? It’s been awhile since I’ve used one.

“is it possible the firewall would not detect access from this site because it is on some type of “trusted” list?”

That’s one way, though in that case the firewall might be set to log the event. I wasn’t really thinking of something like this, though. I’d more in mind something which effectively bypassed the firewall.

“With a firewall, don’t you have to permit access or deem addresses or sites as “trusted” for them to have access?”

In a perfect world, yes. In a less than perfect world, a given firewall may have a rule or ruleset which could have unintended consequences.

Still…now that you have me thinking about it, I’m realizing that the memo’s statement regarding the firewall may be even less significant than I’d first realized. Most break-ins about which I’ve read recently involve exploiting one or more flaws in software on a server. Content Management Systems like Joomla and WordPress suffer from this sort of thing a lot as the quality of the many available plug-ins is not always as high as one would like.

If someone exploited something of this sort, the attack would slide right through the firewall as it would come in the form of an HTTP request: a type of request that the firewall would be explicitly configured to permit from the entire Internet to a web server.

If I recall correctly, it was only a few years ago that a problem of this sort occurred on the town website. In that case, though, I don’t believe any information was leaked. It was “merely” that pages were altered to include “spammy” links.

Andrew – really excellent commentary.
Assessmentgate – Pt 1 – All credit to Andrew. Pt 2 – Maybe, but you are now relegated to a secondary status due to your deal with Mr Tabakin.
IRB – I get confused. Are Some People the 2nd Cousins to Good People and what side of the family are the Unlawful People.
Ms Kulwin – I have never met you, but I have to say – using my best 20/20 hindsight – you made some good decisions.
Mr Dashield – Really, really bad memo. You didn’t answer the question Councilor Spiller supposedly asked.
Council ducking the media – priceless!

The real crime here is that the BOE was paying Alan Benezra $93,000 a year to supposedly administrate this server from his comfy confines in Boulder Colorado where he happens to have enough free time to be a fitness instructor.

This ‘reporting’ has been very biased. How can one trust it? The devil is in the details, and in the power a writer has to omit or cherry pick what she likes.
As an opponant of the BOE’s decision to rush in to Common Core etc. and speaking at a BOE meeting , I was quoted in a baristakids piece by Georgette as simply announcing;
“I’m not uncivil, I’m just smart.”
Now, there were many better quotes Georgette could have chosen from my three minute speech, or she could have actually allowed my quote to make sense
(It was televised so here it is)-

“I signed a petition along with over 500 other people to ask you to wait a year, and now I find that you don’t have the books for maybe a year or two years. I find this shocking. I’m not uncivil, I’m just pretty smart, like many of the other people who have disagreed with you. ”

I went on to say that the BOE was not ready for the changes they were trying to impliment. Earlier I called for a moratorium on the implementation of the Common Core Curriculum.

You have had no problem with my reporting when I spent a morning of my time meeting with you about the opt-out movement and wrote an article about something you felt strongly about. In fact, you thanked me for the article. Or the many times over many years when I wrote about organizations that were near and dear to your heart. However when I quote something you said in public, which when read doesn’t sound very civil, now I’m not to be trusted. Now you feel you have the right to bad mouth me. Of course I didn’t quote the entire 3 minutes of every speaker at that meeting. Like any reporter, I have to choose the stand out quotes. And that’s what I did when I quoted you.

I will continue to report the facts and ask questions that need to be answered. What I won’t do is disrespect people in our community, name call, bully or be bullied.

Georgette; You should at least complete sentences when you use “stand out quotes”. I believe there were many better stand out quotes that night for that matter.
Do not put words in my mouth. I see no name calling. I believe you are biased when it comes to this BOE. Feel free to prove me wrong. I have read about the BOE meetings and have been dismayed when I find that you have ignored interesting arguments and questions posed by our community- at least the ones who oppose this BOE’s actions. If you want to talk about bullying or disrepect- and I find that interesting- I felt quite bullied and disrespected by you when you wrote that ridiculous half quote. I know you did it because you disagree with my message. It was unjust and did not represent what I said that night. I think you should have apologized. You can feel empowered to bad mouth me in the name of reporting, and I may feel free to report the facts as well.
As for reporting on subjects near and dear to my heart. I mostly work to raise awareness about orphans and older child adoption. Thank you for writing about that. There can be no argument there.

I didn’t realize that Baristanet was questioned by the Board of Education concerning the Gobookee incident.

Can you tell us something about who questioned you, what kind of questions you asked, and whether or not you answered them?

And while I realize that there is a lot of snappiness on this thread right now (and, to be perfectly honest, I’m not sure if you were snapping at me or not when you posted questions to me about the timeline of the investigation–I suspect you weren’t), please understand I don’t mean any disrespect with these questions. I am simply curious–especially as it may have implications for those who comment on Baristanet articles.

I meant no disrespect and I thank you for your always respectful dialogue.

I will not get into specifics about what I was questioned, but the only thing I will say, and I won’t comment further after this, is that I didn’t provide names, username of commenters, email addresses, IP addresses, or names of anyone period. Which is why I suspect they served me with a subpoena.

Not sure how much money this “investigation” has cost us taxpayers so far, but for a town so heavily in debt, this seems like a very unnecessary waste of money and time. Too bad my theory went ignored back in October, when this whole silly thing first broke.

“I signed a petition along with over 500 other people to ask you to wait a year, and now I find that you don’t have the books for maybe a year or two years. I find this shocking. I’m not uncivil, I’m just pretty smart, like many of the other people who have disagreed with you. ”

have to agree with rachaelegan here. the part of the Georgette used was entirely out of context and served to make the speaker sound shrill and self-absorbed. quote manipulation is substandard journalism. try harder.

It doesn’t seem out of context to me. I thought Georgette did a pretty good job of getting the gist of all the speakers in that meeting–obviously a thankless job.

Saying that everyone who agrees with you is smart is a step away from saying that everyone who disagrees is dumb, whether the quote comes in its entirety or in the abbreviated form that Georgette included in her report. Either way, it still shows a sharp tongue.

The quote may be accurate, but it leaves out the relevant part of the statement, which is about how 500 people asked that the implementation be delayed, it was not, and then it turns out the district was not prepared. That is the important part of the message, not whether or not the speaker is smart.

Seems like rachaelegan and 500 petition signers were smart enough to know the implementation of the new curriculum was going to be a disaster.

But sure, keep acting like the most important issue facing our schools is that those who were correct to criticize the district’s plan weren’t quite polite enough–at least not for the delicate sensibilities of those who’d rather spent their time concocting ways in which they can still pin the breach on a disgruntled teacher.

I love how the BOE defenders talk/talk/talk about incivility, as if voices of dissent — raised or angary at times — compare to the incivility of the board’s actions over the past 2 1/2 years. stripping benefits from their lowest-paid full-time employees; banishing the MEA president from her normal speaking forum at board meetings for no other reason than to exert its power; refusing to answer questions from taxpayers and teachers; shamelessly turning on the one board member who has dared to publicly question its policies and tone-deaf actions, which have a spoken a hell of a lot louder, and nastier, than any dissenting words.

Leave a Reply

Baristanet Comment Policy:

Baristanet has specific guidelines for commenting. To avoid having your comment deleted -- or your commenting privileges revoked -- read this before you comment. Violators will be banned from commenting.

Report a comment that violates the guidelines to comments@baristanet.com. For trouble with registration or commenting, write to comments@baristanet.com.

Commenters on Baristanet.com are responsible for all legal consequences arising from their comments, including libel, infringement of copyright or actions that threaten a third party. By submitting a comment, you agree to indemnify Baristanet LLC, its partners and employees from any legal action arising from your comments.

In order to comment on the new system, you need to register a new Baristanet account. To get your own avatar next to your comments, sign up at Gravatar.com